Configuring Wordfence Security beyond the basics

In my previous post I highlighted the need to harden your WordPress Installations. Here’s a quick follow-up, showing you how to configure the Wordfence Security plugin for added protection beyond its factory settings. Following these steps adds a significant amount of defensive capability to your website, so it’s well worth the ten minutes it’ll take a first-timer to do it.

I’ve added screenshots along the way, and a numbered screenshot gallery at the bottom, but the Wordfence Settings page is pretty long. With that in mind, here’s a link to a full-page screenshot, with all relevant settings numbered according to this post, just in case you get lost anywhere along the way.

Lets get Wordfence Security configured…

Set up the Firewall, and set Wordfence to Update Automatically.
The firewall provides an additional layer of protection, while letting Wordfence update automatically stops you from being left out in the cold with your site’s protection. The Threat Definitions update automatically, why shouldn’t the whole plugin? All it takes is a few clicks, and you’re running worry-free on that score [screenshot].

Switch on the Wordfence Premium Scanning Features
This trio of features is not as much about intrusion prevention as it is about locking down “Comment Spam” and checking to see if your WordPress Website is already infested with something that’s generating spam. These features are well worth enabling, since they provide an early warning system if something does manage to slip through the net, as Wordfence will report anomalies during its daily scanning activities.[screenshot]

Set an Administrator Email where WordPress sends Alerts
Wordfence Security is fairly vocal about communicating with you when it does things or finds problems. Setting an email address for these alerts to be sent to is crucial if you’re serious about staying up to date with your website’s security.Important Notice: After a while these alerts will start to look like routine. Don’t let that lull you into a false sense of security. Keep checking the alerts. You never know when one of them is going to tell you something new [screenshot].

Shorten your ‘Email Summary‘ period to once a Week
The Summary tells you about who’s been attacking your site the most during the specified period. By shortening this to “1 per Week” you’re halving your response time compared to Wordfence’s factory settings. Speaking personally, this step alone has enabled me to be far more responsive against up-and-coming wholesale hacking attempts. When this email arrives, take the time to see who’s been attacking you the most [screenshot].

Set Scans to include the Public Facing Site
In essence, this function tells Wordfence Security to check your website’s public front for vulnerabilities. I’m not entirely sure why this feature is not enabled by default, since checking your front-end for weak spots is a given for me. Whatever the case, tick the box and let Wordfence keep an eye on your front door [screenshot].

Scan Theme and Plugin files against their WordPress Repository Versions
Anyone who knows WordPress knows that Theme and Plugin files are one of the system’s main weak-spots. Ergo, it’s in your best interests to make sure they stay clean and free of infection. So, while these two features will slow your Wordfence scan down slightly, the inconvenience is more than offset by the fact that you’ll be told immediately if something’s not right with your website’s most vulnerable files. I’ve used this part of the scan to detect problems with clients’ sites on more than one occasion [screenshot].

Throttling and Blocking 404 Errors…
This is where we start to get proactive with Wordfence’s approach to protecting your WordPress website. By default 404 Errors* are treated quite leniently by Wordfence Security. However, if you heighten its vigilance on this score, it’s able to protect your site far more effectively against intruders looking for known places to exploit. By default Wordfence takes no action against human users or bots/scripts encountering 404 Errors. This liberal attitude could potentially be exploited by a determined attacker, so you might as well shut the door while you can. By setting the 404 Error Parameters from “Unlimited” to “10 per Minute” for human users before slowing them down, and to “5 per Minute” for known vulnerabilities before blocking the source outright, you’re able to forestall potential intruders before they have an opportunity to test the defenses too much. Further, by changing the “Block” time from five minutes to thirty minutes, you’re making life much harder for persistent attackers [screenshot].

Blocking “Brute Force Attacks”…
By default, Wordfence will let you try to log in with the wrong username/password combination twenty times before it takes any action.Fact:If you or one of your users have to use twenty login attempts to access your own site, you’re simply not serious enough to run a web enterprise of any kind.Go and try your hand at being a baker or something.Therefore you’re going to tell Wordfence to take a much sterner approach for login attempts using incorrect credentials. Face it, even on a bad day you should be able to get your own password right within four tries, so we’ll set it at that. Technically speaking, you shouldn’t ever need to use more than one attempt to recover your password, but we’ll be generous on this score, so we’ll also set it to four attempts before Wordfence Security blocks you. Once again we raise the “Blocking Time” from five minutes to half an hour, and we’re done. The next time we get a “Brute Force Attacker” knocking on our door, he’ll be back out on the street before he knows it.Lastly, it’s also a good idea to tick the “Immediately lock out invalid usernames.” This may seem a little harsh, but once again it comes down to the question of “How serious are you about your website?” [screenshot]

Blocking weak Usernames
If you’re still using the usernames “admin“, administrator“, “yourdomain“, or anything else even remotely obvious, stop reading this post and go set up a new and less guessable username for your WordPress Administrator Account. One of the Internet’s most hacked username/password combinations is “admin/password123“. No, I’m not making this up. Once you’ve picked a more secure username, enter the aforementioned weak ones into the text box seen in the screenshot below and let Wordfence indiscriminately ban anyone who tries to use them to log into your site. This is important… [screenshot]

So there you have it. Set things as I’ve described above, click “Save Changes“, and Wordfence Security goes from being effective to being “Extra Alert“. I use this combination of settings across every WordPress installation I own, and across a few of my clients’ too, and it’s never failed me yet.